SEC 2323

Systems Programming

3 – Memory Management

1
OS structure
} The OS sits between application programs and the hardware
} it mediates access and abstracts away ugliness
} programs request services via exceptions (traps or faults)
} exceptions are caused by software executing instructions
} devices request attention via interrupts
} interrupts are caused by hardware devices

P2 P3
P1 P4
dispatch

exception
OS interrupt

D1 start i/o D4
D2 D3

2
OS structure
} An OS consists of all of these components, plus:
} many other components
} system programs (privileged and non-privileged)
} e.g., bootstrap code, the init program, …

} Major issue:
} how do we organize all this?
} what are all of the code modules, and where do they exist?
} how do they cooperate?
} Massive software engineering and design problem
} design a large, complex program that:
} performs well, is reliable, is extensible, is backwards compatible,
…

3
Background
} Program must be brought (from disk) into memory and placed within a
process for it to be run"
} Main memory and registers are the only storage CPU can access directly"
} Memory unit only sees a stream of addresses + read-requests, or address +
data and write-requests"
} Register can be accessed in one CPU clock (or less)"
} Main memory access can take many cycles, causing a stall!
} Cache sits between main memory and CPU registers, typically on CPU
chip"
} Protection of memory required to ensure correct operation"
between processes from OS and users, and between processes from users"
} provided by hardware support, otherwise too costly to involve OS"

4
Memory management
} The primary memory (or RAM) is the directly accessed
storage for the CPU via registers and cache memory:
} programs must be stored in memory to execute
} memory access is fast (e.g., 60 ns to load/store)
} but most memory doesn’t survive power failures

} OS must:
} allocate memory space for programs (explicitly and implicitly)
} deallocate space when needed by rest of system
} maintain mappings from physical to virtual memory
} through page tables (hardware support feature)
} decide how much memory to allocate to each process
} decide when to remove a process from memory

5
Memory Hierarchy

cache virtual memory

C
CPU 8B a 32 B 4 KB
Memory disk
c
regs h
e

Register Cache Memory Disk Memory

size: 32 B 32 KB-4MB 1024 MB 100 GB
speed: 1 ns 2 ns 30 ns 8 ms
$/Mbyte: $125/MB $0.20/MB $0.001/MB
line size: 8B 32 B 4 KB

Larger … slower … cheaper …

6
Basic Program Execution Registers
} Registers are high speed memory inside the CPU
} Eight 32-bit general-purpose registers
} Six 16-bit segment registers
} Processor Status Flags (EFLAGS) and Instruction Pointer (EIP)
32-bit General-Purpose Registers
EAX EBP
EBX ESP
ECX ESI
EDX EDI

16-bit Segment Registers

EFLAGS CS ES
SS FS
EIP
DS GS

} More details and practical execution with nasm will be in the Lab
7
Problems with Memory
1. What if we don’t have enough memory? Q: How much memory
can you access with 32 bit
Ø MIPS gives each program each own 32 bit address space address?
• 230 bytes= 1 GB
Ø Let suppose a program need 4GB of memory. • 232 bytes= 4 GB
• 232 words = 16 GB
Ø Program can access any address in its 32-bit address space.
A: 232 bytes= 4 GB
Ø What if we don’t have 4GB of memory? A 32 bit address space
1GB Physical gives you theoretically
Program Address 4GB of memory. In
Space (4GB) Memory practice, the OS reserves
0x00000000 some if it is so closer to
2GB of usable space.

Crash if try to
access more
than 1 GB

0xFFFF FFFF

8
Problems with Memory ..
2. Holes in address space
Program1(1GB)
Program2(2GB) Program3(2GB)

0x00000000

ØProgram 1 and Program 2 fit in the

memory, and use 1+2 =3GB.
ØQuit Program 1
ØCan`t run program3 even though we have
enough Memory

0xFFFF FFFF
32 bit physical
Address Space
(4GB)

9
Problems with Memory ..
3. How do we keep programs secure?
} Each program can access any address in RAM.

Wr
Program1(1GB) ite 1. Program 1 store
40 0x00000000
00 bank balance at
20 to a
48 dd 2048
res
s
2. Program 2 store
s 40000
4000 game score at 2048
dres
o ad
00t
e
0
40 2048 They corrupt or crash
Program2(2GB) Writ
each other
0xFFFF FFFF

32 bit physical
Address Space
(4GB)

10
Virtual Memory
} Memory management technique that is implemented using both
hardware and software.
} It maps memory addresses used by a program, called virtual addresses,
into physical addresses in computer memory.
} Address translation hardware in the system, often referred to as a memory
management unit or MMU, automatically translates virtual addresses to
physical addresses
} Segmentation
} Segmentation provides a mechanism of isolating individual code, data, and
stack modules.
} Each program divided into segments. Each segment can have different size.
} Paging provides a mechanism for implementing a conventional
demand-paged, virtual-memory system where sections of a program’s
execution environment are mapped into physical memory as needed.
} Paging can be used to provide isolation between multiple tasks.
11
Logical vs. Physical Address Space
} The concept of a logical address space that is bound to a separate physical
address space is central to proper memory management"
} Logical address – generated by the CPU; also referred to as virtual address!
} Physical address – address seen by the memory unit (MMU)“

} Logical and physical addresses are the same in compile-time and load-time
address-binding schemes!
} Logical (virtual) and physical addresses differ in execution-time address-
binding scheme!

} Logical address space is the set of all logical addresses generated by a

program"
} Physical address space is the set of all physical addresses generated by a
program"

12
Paging
} Physical address space of a process can be noncontiguous; process is
allocated physical memory whenever the latter is available
} Avoids external fragmentation
} Avoids problem of varying sized memory chunks
} Divide physical memory into fixed-sized blocks called frames
} Size is power of 2, between 512 bytes and 16 Mbytes

} Divide logical memory into blocks of same size called pages!

} Keep track of all free frames
} To run a program of size N pages, need to find N free frames and load
program
} Set up a page table to translate logical to physical addresses
} Backing store likewise split into pages
} Still have Internal fragmentation

13
 Memory in Paging

Page Table Virtual

LA to PA Mapping
Address Space
VA PA
24575 Physical
Address Space
20480 16383
20479
12288
16384 12287
16383
0-4095 4096-8191 8192
12288 8191
12287
4096
8192 4095
What is the physical address 8191
for virtual address 300? 0
4096
4095
4096+300
0
14
 Virtual Memory ..
Without Virtual Memory With Virtual Memory
Program Address = RAM Address Program Address Maps to RAM Address

Program Address 1GB Physical Program Address 1GB Physical

Space (4GB) Memory Space (4GB) Memory
0 0
1 1
2 2 MAP
… …

swap
Cras
h
Disk

15
Swapping
} A process can be swapped temporarily out of memory to a backing store, and then brought
back into memory for continued execution"
} Total physical memory space of processes can exceed physical memory"
} Backing store – fast disk large enough to accommodate copies of all memory images for all
} users; must provide direct access to these memory images"
} Roll out, roll in – swapping variant used for priority-based scheduling algorithms"
} lower-priority process is swapped out so higher-priority process can be loaded and executed"
} Major part of swap time is transfer time; total transfer time is directly proportional to the
amount of memory swapped"
} System maintains a ready queue of ready-to-run processes which have memory images on
disk"
} Does the swapped out process need to swap back in to same physical addresses?"
} Depends on address binding method"
} Plus consider pending I/O to / from process memory space"

16
Virtual Memory: Solving Problem1
} Not enough RAM in the system
} Map some of the program`s address space to the disk
} When it need, bring to memory.

Program Loads VM map address

Address 0 0 to ram1
Program Address 1GB Physical VM map address
Program Loads Space (4GB) Memory 1 to ram0
Address 1
0 1 VM map address
Program Loads 1 02 3 to ram 2
Address 3 2 MAP 3
Program Loads 3
Address 2 2
ØPage Fault
ØReplace Physical
memory frame
with new vale
ØUpdate Map
Disk
17
Page Fault: What happens if a page is
not in RAM?
} Page Table Entry says the page is on disk
} Hardware (CPU) generates a page fault exception
} The hardware jumps to the OS page fault handler to clean up
} The OS chooses a page to evict from RAM and write to disk
} If the page is dirty, it needs to be written back to disk first ( “Dirty”
means the data has been changed (written). If the page has not been
written since it was loaded from disk, then it doesn’t have to be written
back.)
} The OS then reads the page from disk and puts it in RAM
} The OS then changes the Page Table to map the new page
} The OS jumps back to the instruction that caused the page fault.
} (This time it won’t cause a page fault since the page has been loaded.)

18
Virtual Memory: Solving Problem 2
} Holes in address space
} We can map program`s address space into RAM as we like.

Program Address
Space (4GB)
Program2(2GB) MAP 2

ØCan Map
different virtual
pages to different
physical pages
Program3(2GB) MAP

19
Virtual Memory: Solving Problem 3
} Keep Program Secure
} Two programs map same virtual address to different physical address

Wr
Program1(1GB) ite
40
ad d t o 0 0 Ma 1. Program 1 store
res pV
s 20
48 MAP1 A2
To 048 bank balance at
PA
X 2048
4000
2. Program 2 store
game score at 2048
00 Map VA 2048
t e 400
MAP2 To 40000
Program2(2GB) i
Wr to PA Y
048
re ss 2
ad d

32 bit physical
Address Space
(4GB)
20
Is program isolation is always good

21
Address Translation: An Overview

Physical Address
Logical Address

Linear Address
Translation Translation
Logical to Linear Linear to Physical

CPU Segmentation Physical

Paging Unit
Unit Memory

22
Making VM works: translation overview
} How does a program access memory?
} 1. Program executes a load specifying a virtual address (VA)
} 2. Computer translates the address to the physical address (PA) in memory
} 3. (If the physical address (PA) is not in memory, the operating system loads it in
from disk)
} 4. The computer then reads the RAM using the physical address (PA) and
returns the data to the program

23
Making VM works: translation overview
(2)
} How does a program access memory?
} 1. Program executes a load specifying a virtual address (VA)
} 2. Computer translates the address to the physical address (PA) in memory
} 3. (If the physical address (PA) is not in memory, the operating system loads it in
from disk)
} 4. The computer then reads the RAM using the physical address (PA) and
returns the data to the program

24
Making VM works: translation overview
(3)
} How does a program access memory?
} 1. Program executes a load specifying a virtual address (VA)
} 2. Computer translates the address to the physical address (PA) in memory
} 3. (If the physical address (PA) is not in memory, the operating system loads it in
from disk)
} 4. The computer then reads the RAM using the physical address (PA) and
returns the data to the program

25
Making VM works: translation overview
(4)
} How does a program access memory?
} 1. Program executes a load specifying a virtual address (VA)
} 2. Computer translates the address to the physical address (PA) in memory
} 3. (If the physical address (PA) is not in memory, the operating system loads it in
from disk)
} 4. The computer then reads the RAM using the physical address (PA) and
returns the data to the program

26
 VM Address Translation
V = {0, 1, . . . , N–1} virtual address space N>M
P = {0, 1, . . . , M–1} physical address space

MAP: V ® P U {Æ} address mapping function

MAP(a) = a' if data at virtual address a is present at physical
address a' in P
= Æ if data at virtual address a is not present in P
page fault
fault
Processor handler

Hardware Æ
Addr Trans Main Secondary
a Mechanism Memory memory
a'
OS performs
virtual address part of the physical address this transfer
on-chip
memory mgmt unit (MMU) (only if miss)

27
 VM Address Translation
} Parameters
} P = 2p = page size (bytes).
} N = 2n = Virtual address limit
} M = 2m = Physical address limit
n–1 p p–1 0
virtual page number page offset virtual address

address translation

m–1 p p–1 0
physical page number page offset physical address

Notice that the page offset bits don't change as a result of translation

28
 Page Tables

Virtual Page Memory resident

Number page table
(physical page
Valid or disk address) Physical Memory
1
1
0
1
1
1
0
1
0 Disk Storage
1 (swap file or
regular file system file)

29
Address Translation via Page Table
page table base register virtual address
n–1 p p–1 0
VPN acts as virtual page number (VPN) page offset
table index
valid access physical page number (PPN)

if valid=0
then page
not in memory m–1 p p–1 0
physical page number (PPN) page offset
physical address

30
 Address translation step by step
} The program generates VA (32 bit)
} The processor divide this address into virtual page number and page offset.
} Suppose an example of page size 4kb and 32 bit VA address
} 212=4kb
VA
20 bit 12 bit

Tells which page Virtual page number # Page offset Tells where in the page we are
in the processor
we are talking Lest consider the following 32 bit address
about Physical memory
FC519 08B Tells where in the
4kb page we are

00152 0015208B

Page table
31
Virtual memory summary
} VM adds a level of indirection between the virtual program addresses (VA)
and the physical RAM addresses (PA)
} This allow us to do lots of cool things:
} Map memory to disk (“unlimited” memory)
} Keep programs from accessing each other’s memory (security)
} Fill holes in the RAM address space (efficiency)
} But, we have to translate every single memory access from a VA to a PA
} Page Tables for each program keep track of all translation
} Use larger pages (4kB) to reduce the number of Page Table Entries (PTEs)
needed
} Fast translation via a hardware translation lookaside buffer (TLB)
} Need to combine the TLB and the cache for good performance

32
Questions # 1
} Suppose 16 bit virtual address space
} 20 bit physical address space
} Determine the physical address of the following two VA using the following
page table?
VA PA
0x1F 0xF0F0 è
0x3F
0x23
0x17 0x001F è

33
Questions # 2
} Suppose physical memory size is 2Gb
} Virtual memory size is 4Gb
} Page size 4kb

} How many page frames?

} How many entries in each page table ?

34
Memory layout
All programs are stored in memory

4G 0xffffffff

In reality, these are

The process’s view virtual addresses;
of memory is that the OS/CPU map
it owns all of it them to physical
addresses

0 0x00000000

36
The instructions themselves are in
memory

4G 0xffffffff

Text
0 0x00000000

37
Location of data areas
4G 0xffffffff
Set when
process starts cmdline & env
Stack int f() {
int x;
…
Runtime

Heap malloc(sizeof(long));
Uninit’d data static int x;
Known at Init’d data static const int y=10;
compile time
Text
0 0x00000000

38
Memory allocation
Stack and heap grow in opposite directions

0x00000000 0xffffffff
Heap Stack

push 1
Stack push 2
pointer push 3

39
Memory allocation
Stack and heap grow in opposite directions

0x00000000 0xffffffff
Heap 1 Stack

push 1
Stack push 2
pointer push 3

40
Memory allocation
Stack and heap grow in opposite directions

0x00000000 0xffffffff
Heap 2 1 Stack

push 1
Stack push 2
pointer push 3

41
Memory allocation
Stack and heap grow in opposite directions
Compiler emits instructions adjust
the size of the stack at run-time

0x00000000 0xffffffff
Heap 3 2 1 Stack

push 1
apportioned by the OS;
Stack push 2
managed in-process
pointer push 3
by malloc
return

Focusing on the stack for now

42
Stack and function calls
} How the program use the stack while it is running?

} What happens when we call a function?

} What data needs to be stored?
} Where does it go?
} What happens when we return from a function?
} What data needs to be restored?
} Where does it come from?

43
 Basic stack layout
void func(char *arg1, int arg2, int arg3)
{
char loc1[4]
int loc2;
...
}

0xffffffff
… loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data
Local variables Arguments
pushed in the pushed in
same order as reverse order
they appear of code
in the code

The local variable allocation is ultimately up to the compiler: Variables could be allocated in any
order, or not allocated at all and stored only in registers,
depending on the optimization level used.

44
Accessing variables
void func(char *arg1, int arg2, int arg3)
{
... Q: Where is (this) loc2?
loc2++;
...
}

0xffffffff
… loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data

0xbffff323
Can’t know absolute
address at compile time
But can know the relative address
• loc2 is always 8B before ???s

45
Accessing variables
void func(char *arg1, int arg2, int arg3)
{
... Q: Where is (this) loc2?
loc2++;
... A: -8(%ebp)
}

0xffffffff
… loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data

%ebp Stack frame

Frame pointer for func

But can know the relative address

• loc2 is always 8B before ???s

46
Returning from functions
int main()
{
...
func(“Hey”, 10, -3);
... Q: How do we restore %ebp?
}

0xffffffff
… loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data

%ebp Stack frame

for func %ebp

47
Returning from functions
int main()
{
...
Q: How do we restore %ebp?
func(“Hey”, 10, -3);
...
}

%esp
0xffffffff
%ebp ??? arg1 arg2 arg3 caller’s data

Stack frame
%ebp %ebp
for func

Push %ebp before locals

Set %ebp to current (%esp)
Set %ebp to(%ebp) at return

48
Returning from functions
int main()
{
...
func(“Hey”, 10, -3);
... Q: How do we resume here?
}

0xffffffff
… loc2 loc1 %ebp ??? arg1 arg2 arg3 caller’s data

Stack frame
%ebp %ebp
for func

49
The instructions themselves are in
memory

4G 0xffffffff

%eip
Text
0 0x00000000

50
The instructions themselves are in
memory

4G 0xffffffff

%eip

Text
0 0x00000000

51
Returning from functions
int main()
{
...
func(“Hey”, 10, -3);
... Q: How do we resume here?
}

0xffffffff
… loc2 loc1 %ebp ???
%eip arg1 arg2 arg3 caller’s data

Stack frame
%ebp %ebp
for func

Set %eip to 4(%ebp) Push next %eip

at return before call

52
Stack and functions: Summary
} Calling function:
} 1.Push arguments onto the stack (in reverse)
} 2.Push the return address, i.e., the address of the instruction you
want run after control returns to you
} 3.Jump to the function’s address
} Called function:
} 4.Push the old frame pointer onto the stack (%ebp)
} 5.Set frame pointer (%ebp) to where the end of the stack is right
now (%esp)
} 6.Push local variables onto the stack
} Returning function:
} 7.Reset the previous stack frame: %esp = %ebp, %ebp = (%ebp)
} 8.Jump back to return address: %eip = 4(%esp)

53
Buffer overflows
Buffer overflows from 10,000 ft
} Buffer =
} Contiguous memory associated with a variable or field
} Common in C
} All strings are (NUL-terminated) arrays of char’s

} Overflow =
} Put more into the buffer than it can hold

} Where does the overflowing data go?

} Well, now that you are an expert in memory layouts…

55
Benign outcome
void func(char *arg1)
{
char buffer[4];
strcpy(buffer, arg1);
...
}
int main()
{
char *mystr = “AuthMe!”;
func(mystr);
...
}

Upon return, sets %ebp to 0x0021654d

M e ! \0

A00 00
u 00t 00h %ebp
4d 65 21 00 %eip &arg1

buffer
SEGFAULT (0x00216551) (during subsequent access)
56
Security-relevant outcome
void func(char *arg1)
{
int authenticated = 0;
char buffer[4];
strcpy(buffer, arg1);
if(authenticated) { ...
}
int main()
{
char *mystr = “AuthMe!”;
func(mystr);
...
}

Code still runs; user now ‘authenticated’

M e ! \0

A00 00
u 00t 00h 4d00 65 210000
00 00 %ebp %eip &arg1
buffer authenticated

57
Could it be worse?
void func(char *arg1)
{

E !
D
char buffer[4];
strcpy(buffer, arg1);

O
...

C
}

All ours!
00 00 00 00 %ebp %eip &mystr
buffer
strcpy will let you write as much as you want (til a ‘\0’)

What could you write to memory to wreak havoc?

58
Operating Systems
& Networks

Questions

59